Abstract

Methods, systems, and software for installing and operating selected software applications on a client
computer that is in communication with a server computer on a computer network are described. In
one aspect of the present invention, a method for controlling the degree of access to operating system
resources for a software program running on a computer that is running said operating system is
provided. The degree of access to the operating system resources is defined for the software program,
and at least one file including instructions for executing the software program is loaded on the
computer from the server computer. The file is examined to determine the degree of system-level
access available to the software program when the software program is being executed by the
computer. The software program is executed, and a program instruction associated with the software
program is intercepted when the software is being executed on the computer. A determination is then
made to determine if the program instruction includes an operation that is outside of a degree of
system-level access that is available to the software program, and if it is determined that the software
program has permission to access system-level resources associated with the computer that are
within the degree of system-level access available to the software, the program instruction is
executed.
METHOD AND APPARATUS FOR CONTROLLING
SOFTWARE ACCESS TO SYSTEM RESOURCES
2. Claims
IN THE CLAIMS:



1. A method for controlling the degree of access to operating system resources for
a software program running on a computer which computer is running said
operating system, the method comprising the steps of:

(a) defining said degree of access to said operating system resources for
said software program;

(b) examining at least one file associated with said software program to
determine the degree of system-level access available to said software program
when said software program is being executed by said computer;

(c) executing said software program on said computer;

(d) intercepting a program instruction associated with said software
program when said software program is being executed on said computer;

(e) determining if said program instruction includes an operation that is
outside said degree of system-level access available to said software program;
and

(f) executing said program instruction when it is determined that said
software program has permission to access system-level resources associated
with said computer that are within the degree of system-level access available to
said software program.



2. A method as recited in claim 1 wherein said step of determining if said program 
instruction includes an operation that is outside said degree of system-level 
access available to said software program comprises validating an identifier 
associated with said software program. 

3. A method as recited in any one of the preceding claims wherein said step of
executing said program instruction comprises determining if said system-level
resources being accessed by said program instruction are protected system-level
resources.

4. A method as recited in any one of the preceding claims wherein said software
program comprises an applet.

5. A method as recited in claim 4 wherein said applet is a Java applet.

6. A method as recited in one of claims 4 and 5 wherein said applet is associated
with a header, said header being arranged to include an identifier, said identifier
being arranged to identify an origin of said file.

7. A method as recited in claim 6 further including the step of validating said
identifier to determine if said computer has permission to access said system-
level resources.

8. A method as recited in one of claims 4-7 wherein said computer is a client
computer and said applet is downloaded to said client computer from a server
computer.

9. A method as recited in claim 8 wherein:

(a) said step of examining includes determining the degree of system-level 
access to said server that is available to said applet when said applet is being 
executed by said client computer as defined by said defining a degree of access 
to said system-level resources associated with said server computer for said 
applet; 

(b) said step of determining includes determining if said program instruction 
to access system-level resources associated with said server computer includes 
an operation that is outside said degree of system-level access available to said
applet; and

(c) said step of executing includes executing said program instruction to 
access system-level resources associated with said server computer when it is 
determined that said applet has permission to access system-level resources 
associated with said server computer that are within the degree of system- level 
access available to said applet. 



10. A method for controlling the degree of access to operating system resources for
a software program running on a client computer which client computer is
running said operating system, wherein at least some of said operating system
resources reside on a server computer that is coupled with said client computer
through a computer network, the method comprising the steps of:

(a) defining said degree of access to said operating system resources for 
said software program; 

(b) loading at least one file including instructions for executing said 
software program on said client computer; 

(c) examining said at least one file to determine the degree of system-level 
access available to said software program when said software program is being 
executed by said client computer as defined by said step of defining said degree 
of access; 

(d) executing said software program on said client computer; 

(e) intercepting a program instruction associated with said software
program when said software program is being executed on said client computer;

(f) determining if said program instruction includes an operation that is
outside said degree of system-level access available to said software program;
and

(g) executing said program instruction when it is determined that said
software program has permission to access system-level resources that are
within the degree of system-level access available to said software program.

11. A method as recited in claim 10 wherein said step of determining if said
program instruction includes an operation that is outside said degree of system-
level access available to said software program comprises validating an
identifier associated with said software program.

12. A method as recited in one of claims 1 0 and 1 1 wherein said step of executing 
said program instruction comprises determining if said system-level resources 
being accessed by said program instruction are protected system-level 
resources. 

13. A method as recited in one of claims 10-12 further including the steps of:

establishing a data transfer communication link between said client 
computer and said server computer across said computer network; and 

transmitting said at least one file from said server computer to said client 
computer across said computer network. 

14. A method for processing a request from a client to access a system resource 
associated with a first server, the method comprising the steps of: 

(a) calling a second server to initiate a download of files that are relevant to 
said request; 

(b) loading said relevant files from said second server, said relevant files
including an archive file, said archive file including at least one class file and a
header, said header including an identifier arranged to indicate the origin of said
archive file;

(c) validating said archive file;

(d) converting said class file into an applet; and

(e) executing said applet, said applet including at least one instruction, 
wherein executing said applet enables said client to access said system resource 
associated with said first server. 

15. A method for processing a request as recited in claim 14 wherein said step of
validating said archive file includes the sub-steps of:

(a) authenticating said header;

(b) determining whether said header is valid; and

(c) performing a class verification on said class when it is determined that
said header is valid.

16. A method for processing a request as recited in one of claims 14 and 15 wherein
said step of executing said applet includes the sub-steps of:

(a) determining whether said instruction is an instruction to execute a
protected operation;

(b) executing said operation when it is determined that said instruction is not
an instruction to execute a protected operation; and

(c) determining whether said operation is allowed when it is determined that
said instruction is an instruction to execute a protected operation.
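The flow of claims 14 through 16, as an added example that is not part of the patent or any product it describes: an archive whose header carries an origin identifier is validated, its class becomes an applet (modelled here as a list of instructions), and an interceptor lets a protected operation run only when the origin's degree of access covers it. The policy table, the HMAC standing in for the header signature, the signer key and the `CLASS:` prefix used for class verification are all constructed for this example.

```python
"""Model of the flow in claims 14-16: an archive carrying a header with an
origin identifier is validated, its class is turned into an applet (here a
list of instructions), and an interceptor runs each instruction, letting a
protected operation proceed only when the origin's degree of access covers it.
All names, keys and the policy table are constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed policy: origin identifier -> protected operations it may perform.
# An origin missing from the table gets no protected access at all.
POLICY = {
    "intranet.example": {"file.read", "file.write", "net.connect"},
    "partner.example": {"file.read"},
}
# Operations the interceptor treats as protected; anything else runs directly.
PROTECTED_OPS = {"file.read", "file.write", "file.delete", "net.connect"}

# Constructed signer key: the header's authenticator is an HMAC over the
# origin and the class payloads, standing in for a real signature.
SIGNER_KEY = b"constructed-demo-signer-key"


@dataclass
class Archive:
    origin: str                  # header identifier indicating the origin
    classes: list                # [(class name, class bytes), ...]
    authenticator: bytes         # header authenticator (HMAC here)


def sign_archive(origin, classes, key=SIGNER_KEY):
    """Build an archive whose header authenticates origin and class contents."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(origin.encode())
    for name, payload in classes:
        mac.update(name.encode())
        mac.update(payload)
    return Archive(origin, classes, mac.digest())


def validate_archive(archive, key=SIGNER_KEY):
    """Claim 15: authenticate the header, then verify the classes only if
    the header is valid.  Any tampering with origin or class bytes fails."""
    expected = sign_archive(archive.origin, archive.classes, key).authenticator
    if not hmac.compare_digest(expected, archive.authenticator):
        return False
    # Stand-in for class verification: every class must carry the
    # constructed magic prefix used by this example.
    return all(payload.startswith(b"CLASS:") for _, payload in archive.classes)


class AccessDenied(Exception):
    pass


class Interceptor:
    """Claim 16: each instruction is intercepted; a non-protected operation
    runs directly, a protected one runs only if the origin is allowed it."""

    def __init__(self, origin):
        self.allowed = POLICY.get(origin, set())
        self.log = []

    def execute(self, instruction):
        op, target = instruction
        if op in PROTECTED_OPS and op not in self.allowed:
            self.log.append(("denied", op, target))
            raise AccessDenied(f"{op} on {target} is outside the degree of access")
        self.log.append(("ran", op, target))
        return True


def run_applet(archive, instructions):
    """Claim 14 end to end: refuse an invalid archive outright, otherwise run
    the applet's instructions through the interceptor.  Returns one boolean
    per instruction (True = executed) plus the interceptor's log."""
    if not validate_archive(archive):
        raise AccessDenied("archive failed header validation")
    interceptor = Interceptor(archive.origin)
    results = []
    for instruction in instructions:
        try:
            results.append(interceptor.execute(instruction))
        except AccessDenied:
            results.append(False)
    return results, interceptor.log


if __name__ == "__main__":
    applet = [("compute", "sum"), ("file.read", "/data/report"),
              ("file.write", "/data/report"), ("net.connect", "db.example")]
    archive = sign_archive("partner.example", [("Main", b"CLASS:main-bytes")])
    print(run_applet(archive, applet))
```

A tampered header (origin changed after signing) fails validation before any instruction runs, and an origin absent from the policy can still execute non-protected instructions but none of the protected ones.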

17. A computer system for controlling the degree of access to operating system
resources comprising:

a first computer coupled with at least one memory device which holds 
therein at least one file including instructions for executing a software program, 
said software program running on said first computer, said first computer 
running said operating system, said first computer being configured to: 
(a) define said degree of access to said operating system resources for said
software program and said first computer being configured to determine if a
program instruction associated with said software;

(b) load said at least one file including instructions for executing said
software program on said first computer;

(c) examine said at least one file to determine the degree of system-level
access available to said software program when said software program is being
executed by said first computer;

(d) execute said software program on said first computer;

(e) intercept a program instruction associated with said software program
when said software program is being executed on said first computer;

(f) determine if said program instruction includes an operation that is
outside said degree of system-level access available to said software program;
and 

(g) execute said program instruction when it is determined that said 
software program has permission to access system-level resources associated 
with said first computer that are within the degree of system-level access 
available to said software program. 

18. A computer system according to claim 17 wherein said first computer is
arranged to determine if said system-level resources being accessed by said
program instruction are protected system-level resources.

19. A computer-readable medium comprising computer-readable program code
devices configured to cause a computer to perform the actions of:

(a) defining said degree of access to said operating system resources for
said software program;

(b) examining at least one file associated with said software program to
determine the degree of system-level access available to said software program
when said software program is being executed by said computer;

(c) executing said software program on said computer;

(d) intercepting a program instruction associated with said software
program when said software program is being executed on said computer;

(e) determining if said program instruction includes an operation that is
outside said degree of system-level access available to said software program;
and

(f) executing said program instruction when it is determined that said
software program has permission to access system-level resources associated
with said computer that are within the degree of system-level access available to
said software program.
3. Detailed Description of Invention

BACKGROUND OF THE INVENTION

1. Field of Invention

The present invention relates generally to methods and apparatus for controlling
the access to computer resources by software running on a computer. More
specifically, the present invention relates to methods and apparatus for controlling the
access to system resources on a client computer by software downloaded to the client
computer from a server computer.

2. Background 

Prior to the rise of the personal computer, computer users were limited to
operating software that ran on large, mainframe computers using terminals that typically
included a keyboard for entering data and commands and a video display device (or
printer) for viewing output. Although mainframes provided very powerful computing
platforms, they suffered from serious drawbacks. In particular, mainframes were
expensive to install and operate and they required all users to be connected directly to
the mainframe through a terminal, which limited access to the mainframe for many
people. In addition, users had very limited control over their computing environments,
usually having to adapt their work styles and problems to suit the software and
administration of the mainframe computer.

Beginning in the late 1970s, personal computers began to overtake mainframes
as the dominant computing platform for personal, business, and scientific uses.
For single users, personal computers often could provide the same computing speed as
the older mainframes that had to accommodate many processing jobs simultaneously.
In addition, software that ran on the personal computers became more "user-friendly,"
thereby allowing computer users to adapt both the computer and the software to suit
their particular computation needs. The release from requiring a connection from a
terminal to a mainframe allowed personal computers to be located just about anywhere
within an organization or at home. This capability further assured the dominance of the
personal computer over the mainframe as computing power could be located at sites
where it was needed. No longer did users have to tailor their operations around large,
expensive, finicky mainframe computing centers.

As the computing power and data storage capacities of personal computers
exploded throughout the 1980s, the dominance of the personal computer seemed to be
assured. As the 1980s drew to a close, however, a new phenomenon began to emerge
which appears likely to overtake the personal computer revolution of the past two
decades. Today, ever increasing numbers of personal computers are linked to each
other through high speed data networks. The most popular network currently is the
"Internet," which is the network comprising various business, academic, and personal
computer sites across the globe. The popularity of the Internet, and more particularly,
that aspect of the Internet referred to as the "World Wide Web," has prompted many
organizations to form internal computer networks, which are often referred to as
"intranets." This interest in network computing has been sparked by a combination of
high speed data networks and increasingly sophisticated network servers, routers and
other devices which allow many independent personal computers to communicate
efficiently.

The attractiveness of the World Wide Web stems in part from its highly visual
character, the same factor that played a large role in the rise of the personal computer
and its dominance over the mainframe. Typically, the World Wide Web is organized
into various "web sites" which typically comprise a server that transmits data to a client
computer running a "browser." The browser is software that provides a user with a
window and various controls through which data from the server can be viewed and
navigated. A particularly useful feature of World Wide Web data is its ability to be
linked through hypertext commands such that users can quickly navigate from one
document to another and even from one web site to another through very simple
intuitive commands such as the activation of a mouse button. Using the World Wide
Web, users can view and/or download text, graphics and hear sounds from sites all
over the globe. In addition, users can also download new software, or software capable
of modifying programs already installed on the client computers.

These same features available to users of the World Wide Web on the Internet
can also be provided to users of a local network through an "intranet", a non-public
computer network that includes clients and servers arranged analogously to the Internet.
This capability has received increasing attention from many organizations as
information useful to employees carrying out their assignments can be distributed
quickly throughout the network to personal computers within the organization. In
particular, many organizations are utilizing intranets to provide access to databases and
custom software programs for individuals in the organization using such intranets. For
example, custom software applets created using the Java™ programming language
(available commercially from Sun Microsystems of Palo Alto, California) can be
operated in conjunction with software and data already installed on the remote computer,
which is either external or internal to the intranet, to provide users access to data and
software specific to their job tasks without the difficulties associated with disseminating
and maintaining many copies of special-purpose software as has been done
traditionally.

It is often desirable for software distributed through a secure intranet to have
full access to the system resources of the client computer, whereas software distributed
over less secure networks external to the intranet system is generally allowed little or
no access to system resources, such as file moving capabilities, as such software
cannot always be trusted. For example, some software applications include functions
that install computer viruses on the host computer. Other software applications may
copy, alter, or delete critical data from the host computer and even forward that data to
another computer system surreptitiously. Unfortunately, there is no viable method or
apparatus to enable trusted software to access certain resources while restricting other
software from accessing the same resource. Users are therefore left with a trade-off
between enabling all software (trusted or suspect) to access all system resources or
limiting the access of all software in an effort to preserve the security of the client
system.

Thus, it would be of great benefit to computer users, and especially computer
users within organizations in which multiple computer users are connected through a
computer network, to provide methods and systems for controlling resource access for
both information and software over the network so that the above-described problems
associated with highly decentralized computer networks can be mitigated. As will be
described here and below, the present invention meets these and other needs.

SUMMARY OF THE INVENTION 

The present invention addresses the above-described difficulties in managing 
software distribution across networked computers by providing, in one aspect, a 
method, system, and software for controlling the access to server resources by selected 
software applications on a first computer acting as a client computer that is in 
communication with a second computer acting as a server computer on a computer 
network. 

In one aspect of the present invention, a method for controlling the degree of 
access to operating system resources for a software program running on a computer is 
provided. The degree of access to the operating system resources is defined for the software 
program, and at least one file including instructions for executing the software program 
is loaded on the computer. The file is examined to determine the degree of system-level 
access available to the software program when the software program is being executed 
by the computer. The software program is executed, and a program instruction 
requesting access to secure resources associated with the software program is 
intercepted when the software is being executed on the computer. A determination is 
then made to determine if the program instruction includes an operation that is outside 
of a degree of system-level access that is available to the software program, and if it is 
determined that the software program has permission to access system-level resources 
associated with the computer that are within the degree of system-level access available 
to the software, the program instruction is executed. 

In another aspect of the present invention, a method for controlling the degree 
of access to system resources for a software program running on a client computer that 
is running the operating system, where at least some of the operating system resources 
reside on a server computer that is coupled with the client computer, is provided. The 
degree of access to the operating system resources for the software program is defined, 
and at least one file including instructions for executing the software program on the 
client computer is loaded. The file is examined to determine the degree of system-level 
access available to the software program when the software program is being executed 
by the client computer. The software program is executed on the client computer, and a 
program instruction associated with the software program is intercepted when the 
software program is being executed on the client computer. A determination is made 
regarding whether the program instruction includes an operation that is outside the 
degree of system-level access available to the software program, and when it is 
determined that the software program has permission to access system-level resources 
that are within the degree of system-level access available to the software program, the 
program instruction is executed. 
These, and other aspects and advantages of the present invention, will become apparent 
when the Description below is read in conjunction with the accompanying Drawings. 

DETAILED DESCRIPTION OF THE DRAWINGS 

Certain embodiments of a method and apparatus for controlling the access by 
applets to system resources will be described below making reference to the 
accompanying drawings. 

An illustration of one network in accordance with the present invention is 
provided in Fig. 1a. Included in the network illustrated in Fig. 1a are intranets 102 and 
104 and an individual external computer shown at 106. The structure of intranets 102 
and 104 is described in greater detail below with respect to Fig. 1b. Both the intranets 
and the user are connected to the computer network through a variety of computer 
gateways ("G/W"). In some embodiments, the computer network includes the Internet. 
Referring to Fig. 1a more specifically, intranet 102 is coupled with intranet 104 and 
user 106 through the Internet which is shown generally at 108. The connection 
between intranet 102 and the Internet 108 is provided first through a gateway 110 
which is coupled with intranet 102 and a "backbone" or high capacity dataline 112. 
Data from a high capacity line 112 is routed through gateway 114 through the Internet 
108, which data passes through a second gateway 116 and into a high capacity dataline 
shown at 118. As will be appreciated by those of skill in the computer network arts, 
dataline 118 can be the same as dataline 112, or may represent a separate backbone to 
which various other individuals, or users, and networks are coupled. 

Data that travels from intranet 102 through the Internet 108 and over high speed 
dataline 118 passes through gateway 120 to intranet 104 or through gateway 124 to 
user 106. Thus, according to the illustrated embodiment, data can be passed among 
user 106, intranet 104, and intranet 102. In particular, the data may travel through the 
Internet 108 as just described, or may pass across backbone 118 between user 106 and 
intranet 104. In some embodiments, intranet 104 and intranet 102 can be coupled 
directly through network configurations known to those of skill in the art as 
"extranets". Extranets are network arrangements in which a given network or 
individual is coupled with a remote network through a dedicated data connection. This 
connection may include data that is routed through the Internet, as illustrated in Fig. 1a, 
or may be a direct data feed, such as through an ISDN or T-1 dataline. Various 
configurations in addition to methods and materials for establishing such configurations 
will be apparent to those of skill in the computer network and telecommunications arts. 

One embodiment of an intranet, such as illustrated in Fig. 1a at 102 or 104, is 
provided in Fig. 1b at 50. A typical intranet 50 includes a server 60 which is coupled 
with clients 62 and 64. In addition, server 60 can be coupled to other client computers 
such as shown at 70, 72, and 74 through a router, hub or similar data transfer device 
such as shown at node 68. In addition, remote clients (not shown) can be connected to 
server 60 either through a direct line or through the use of telephone lines using, e.g., a 
modem or similar device. In some cases, access to intranet 50 will be controlled to a 
high degree by a "firewall" configuration which is illustrated by the box 75. The 
establishment of communications from users external to the firewall, such as remote 
client 78, can be achieved by traversing a gateway which allows access to the protected 
server. Such a gateway is illustrated at 76. 

Typically, a server provides data and software that is accessible to the various 
clients which are in communication with the server, either directly or through a device 
such as a router. The construction, maintenance, and operation of the server, router, 
and various client machines will be well known to those of skill in the art. In some 
particular embodiments, server 60 will be configured to provide data that is compatible 
with browser software such as that used to view data on the World Wide Web. 
Specifically, the data provided by server 60 will be in the form of pages of data that can 
be examined using typical browser software. In one embodiment, the server and 
clients are configured to exchange not only data but computer software in the form of 
"applets," such as those written in the Java™ programming language available from 
Sun Microsystems of Palo Alto, California. "Applets" as used herein are software 
programs that are configured to be passed from a source computer, typically a server, 
to a client machine and run in conjunction with software already installed on the client. 
In one embodiment, the software with which the applet runs is the above-described 
browser software. Typically, applets provide additional functionalities to browser 
software by performing various computational tasks which the browser software itself 
is not configured to perform. Thus, users who download applets can provide the 
browser software with additional functionalities that are not otherwise available to the 
browser software. Such additional capabilities can include, e.g., custom interfaces to a 
database. 

In general, a client, as for example client 62, calls into server 60 using a user 
agent, or a browser. User agents include, but are not limited to, HotJava™, available 
from Sun Microsystems, Incorporated of Palo Alto, California, and Netscape, available 
from Netscape Communications Corporation of Mountain View, California. In one 
embodiment, the user agent generally includes a processing engine which executes the 
applet code, and a security manager used in the determination of whether an applet has 
access to certain system resources. Examples of such a security manager are provided 
herein below. 

According to one embodiment, a server, located either on the Internet or within 
an intranet, provides class libraries which contain class files that define an applet. One 
example of such a class library is a Java™ class library. Specifically, a server can 
contain the class files that make up the applet, and the particular Web pages including 
HTML code that references the applet. 

According to one embodiment of the present invention, applets are instantiated 
from class files that are downloaded from a source computer, or a server, to a client 
machine. The class files may be grouped together into an archive file. Further, an 
archive file can be digitally signed, or otherwise marked, such that the origin of an 
applet created from the archive file can be reliably determined. The signature of an 
archive file can then be verified in order to determine which system resources are 
accessible to the machine on which the applet is executing. The use of signatures 
enables the access to system resources of the client machine by the applet to be 
controlled, e.g., by reference to the security status of the server from where the applet 
originated. By way of example, an applet executing on one client may have different 
access privileges than the same applet executing on a second client by virtue of the fact 
that the permissions associated with the applet on each client may be different. This 
resource access control therefore enables applets associated with secure machines, e.g., 
machines in the same intranet as the machine which contains the resources, to have 
more access to resources than applets associated with unsecure machines, e.g., 
machines on the Internet. 

Fig. 2a is a diagrammatic representation of a collection of class files in 
accordance with an embodiment of the present invention. The format of the collection 
of class data files, which is generally used on a server, is not arranged to accept 
signatures. That is, each class file typically defines a class residing on a server. The 
format is such that the collection includes any number of classes, as for example class 
"1" 202, class "2" 204, and class "N" 206. A class may be defined as a software 
construct that defines data and methods, or sequences of statements that operate on the 
data, which are specific to any applets that are subsequently constructed from that class. 
In other words, as previously stated, an applet may be constructed by instantiating a 
previously defined class. It should be appreciated that a single class may be used to 
construct many applets. 

The execution of an applet usually entails requests, or commands, to access 
system resources. While an applet may contain instructions to access many different 
system resources, due to security concerns, an applet is either allowed access to all of 
the specified system resources or access to none of the specified system resources 
under present design restraints. As discussed above, this "all-or-nothing" approach to 
system resource access is often undesirable in that an applet running within an intranet 
system, for example, is "trusted," e.g., of known origin, while an equivalent applet 
running externally to the intranet system is considered to be unsecure. As the applet 
running within the intranet system and the equivalent applet running externally are 
typically given the same access privileges to system resources, in order to maintain the 
security of the intranet system, the applets are generally given no access privileges. 

The ability to selectively control applets from accessing resources enables a user 
within an intranet system to restrict access to resources on an individual applet basis. 
Including a "signature," or an identifier, with class files that are used to instantiate an 
applet is one method which serves to enable an intranet organization to selectively 
control applets. Signing, or marking, class files such that it is possible to determine 
where the class files originated enables an intranet system to determine the appropriate 
access privileges associated with an applet instantiated from the class files. In addition, 
signing class files further enables a determination to be made regarding whether a class 
file has been tampered with. An archive file structure which permits a group of class 
files to be digitally signed will be described below with respect to Fig. 2b. 

By providing an archive file which can be digitally signed, it becomes possible 
to enable an applet, either internal or external to an intranet system, that is constructed 
from the class files associated with the archive file to access selected system resources 
within the intranet system. Checking the digital signature of the archive file makes it 
possible to determine whether a given applet has been tampered with, and which 
computers have signed the applet. As such, access privileges may be allocated based 
upon whether the applet originated from a secure, or trusted, host or from an unsecure 
host. In addition, in some embodiments, the allocation of access privileges enables 
users to decide which hosts are to be trusted and which are not to be trusted. 
Fig. 2b is a diagrammatic representation of an archive file data format in 
accordance with an embodiment of the present invention. In the described 
embodiment, the archive format is a Java™ archive (JAR) format. Archive, or archive 
file, 210 includes a header signature 212 which is the signature that is typically used by 
a user agent to verify the validity of archive 210 and to determine the levels of access 
available to archive 210. In general, header signature 212 is a digital signature which 
may be a part of a general header that contains other information, which information 
includes, but is not limited to, information corresponding to the size of the archive. 
Archive 210 has any number of associated classes, as for example class "1" 202, class 
"2" 204, and class "N" 206, from which applets and associated objects are instantiated. 

Additionally, archive 210 may have associated data blocks, as for example data 
block 214. Data block 214 may contain images, text, or any arbitrary data that is 
considered to be a part of archive 210. In one embodiment, data block 214 may contain 
a text string that describes classes 202, 204, and 206 that are associated with archive 
210. It should be appreciated that in other embodiments, archive 210 may not include a 
data block. 

Referring next to Fig. 3a, an embodiment of a client-side directory structure will 
be described in accordance with the present invention. A user who makes a request to 
access a resource through a client generally interfaces with a user directory 302. User 
directory 302 has an associated browser directory 304 which contains information 
relating to a browser, or a user agent. The browser may be any suitable browser, as 
for example the HotJava™ browser as mentioned above. Browser directory 304 
includes a properties file 306 that is appropriate to the request made by the user. 
Properties file 306 typically includes user preference items 308 which are generally 
browser specifications that are provided by the user. These specifications may include, 
but are not limited to, data relating to browser set-up and behavioral properties 
associated with the browser. 

Properties file 306 further includes information that is relevant to the particular 
request made by the user. By way of example, such information can include an images 
data block 310, a configuration file name 312, and a group specification file name 314. 
In one embodiment, images data block 310 includes data file names, i.e., strings, 
which identify any images that are associated with the request. A configuration file 
name 312 is a string that identifies a configuration file which is used to facilitate the 
mapping of a requested resource to associated security descriptors. One example of a 
configuration file will be described below with reference to Fig. 3b. Group 
specification ("spec") file name 314 is a string which identifies a group specification 
file, as will be described below with respect to Fig. 3c. 

Fig. 3b is a diagrammatic representation of the structure of a configuration file 
in accordance with an embodiment of the present invention. Configuration file 350 is 
an example of a configuration file identified by configuration file name 312 as 
mentioned above with respect to Fig. 3a. Configuration file 350 includes a table 352 
which associates resources 354 on a server, i.e., a server which the client wishes to 
access, with corresponding access file names 356. That is, table 352 associates an 
entry in the resources "column" 354 with a corresponding entry in the access file names 
"column" 356. Resources 354 are generally classifiers which identify various system 
resources, as for example files, hosts, and socket numbers. Access file names 356 
identify corresponding access files which contain security descriptors and other 
information that is relevant to the control of access to system resources with which 
access files are associated. The structure of an access file will be described in more 
detail below with reference to Fig. 3c. It should be appreciated that due to the fact that 
more than one resource 354 may share the same security descriptor, access file names 
356 and, therefore, access files, may be associated with more than one resource 354. 
Referring next to Fig. 3c, the structure of an access file will be described in 
accordance with an embodiment of the present invention. Access file 360 generally 
includes a table 361 which associates principals 362 with permissions 364. Principals 
362 may be individual hosts or groups of hosts. By way of example, "java.com" may 
be an individual host, i.e., a server, which is a principal 362. Alternatively, 
"java.com" and "sun.com" may form a principal 362 that is a group. In some 
embodiments, principals 362 can also be the signers of particular archives. Permissions 
364 provide groupings of security descriptors. That is, permissions 364 are groupings 
of security descriptors which designate the resources to which principals 362, with which 
permissions 364 are associated, have access. 

Fig. 3d is a diagrammatic representation of a group specification ("spec") file 
format in accordance with an embodiment of the present invention. As mentioned 
above, the group specification file name 314 of Fig. 3a identifies a group specification 
file, as for example group specification file 370. Group specification file 370 includes 
a table 371 that associates group names 372 with any number of members 374. Group 
names 372 are essentially identifiers that may be used to identify a group of members 
374. By way of example, a group name, as for example group "1" 372a, may be 
associated with any number of members, as for example member "1" 374a and member 
"2" 374b. It should be appreciated that a member, as for example member "1" 374a, 
may be associated with more than one group name 372. 
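The three tables of Figs. 3b, 3c and 3d can be modelled together as a small policy resolver: the configuration file maps a resource classifier to an access file, the access file maps principals to permissions, and the group specification file lets a host inherit the permissions of every group it belongs to. The Python below is an added illustration and not code from the patent; the line-oriented text layout of the files, the file names and every sample entry are constructed assumptions ("java.com" and "sun.com" are the example hosts named in the description). Unknown resources and unknown principals deliberately resolve to no permissions.

```python
"""Model of the configuration file (Fig. 3b), access file (Fig. 3c) and group
specification file (Fig. 3d).  Added illustration, not the patent's code: the
text layout, the file names and the sample entries are constructed."""

# Constructed configuration file: resource classifier -> access file name (Fig. 3b).
# Two resources may share one access file, as the description notes.
CONFIG_FILE = """\
# resource             access-file
file:/export/data      data.acl
host:db.corp.example   db.acl
socket:8080            db.acl
"""

# Constructed access files: principal (host, group or signer) -> permissions (Fig. 3c).
ACCESS_FILES = {
    "data.acl": """\
# principal        permissions
java.com           read
intranet-hosts     read,write
""",
    "db.acl": """\
# principal        permissions
intranet-hosts     connect
""",
}

# Constructed group specification file: group name -> members (Fig. 3d).
GROUP_SPEC_FILE = """\
# group            members
intranet-hosts     java.com,sun.com
"""


def parse_table(text):
    """Parse a two-column table: the first token is the key, the rest the value.
    Blank lines and '#' comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        rows.append((key, value.strip()))
    return rows


def parse_config(text):
    return dict(parse_table(text))


def parse_access_file(text):
    return {principal: frozenset(perms.split(",")) for principal, perms in parse_table(text)}


def parse_group_spec(text):
    return {group: frozenset(members.split(",")) for group, members in parse_table(text)}


def principal_names(principal, groups):
    """The principal itself plus every group it is a member of.  A member may
    belong to more than one group, so every matching group is collected."""
    names = {principal}
    for group, members in groups.items():
        if principal in members:
            names.add(group)
    return names


def permissions_for(resource, principal, config, access_files, groups):
    """Resolve the permissions `principal` holds on `resource`.
    An unknown resource, access file or principal yields no permissions."""
    access_name = config.get(resource)
    if access_name is None:
        return frozenset()
    table = access_files.get(access_name, {})
    granted = set()
    for name in principal_names(principal, groups):
        granted |= table.get(name, frozenset())
    return frozenset(granted)


def lookup(resource, principal):
    """Parse the constructed files and resolve one (resource, principal) pair."""
    config = parse_config(CONFIG_FILE)
    access_files = {name: parse_access_file(text) for name, text in ACCESS_FILES.items()}
    groups = parse_group_spec(GROUP_SPEC_FILE)
    return permissions_for(resource, principal, config, access_files, groups)
```

With these tables, `lookup("file:/export/data", "sun.com")` yields read and write through the "intranet-hosts" group, while a host that appears in no access file and no group gets an empty set, which is the default-deny behaviour a resolver of this kind should have.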

Fig. 4 is a process flow diagram which illustrates a method of executing a 
request to access a resource in accordance with an embodiment of the present invention. 
The process begins at 402, and in a step 404, a call is made from a requesting client, 
e.g., client 74 of Fig. 1b, to a server, e.g., server 60 of Fig. 1b, to initiate the 
download of either at least one class file, as described above with respect to Fig. 2a, or 
an archive file, as described above with respect to Fig. 2b. The request is received on 
the server in response to a client call made through a user agent, i.e., a browser, as for 
example a HotJava™ browser or a Netscape Navigator browser as previously 
mentioned. The initiation of the downloading of either at least one class file or an 
archive file occurs in response to a request to access a resource and, hence, is a call to 
execute an applet. In one preferred embodiment, the archive file is a JAR file. 

In a step 406, either the archive file is loaded or the class files are loaded from 
the server into memory associated with the requesting client. In general, class files are 
loaded if the classes are not in an archive file, e.g., not digitally signed, and an archive 
file is loaded if the classes are digitally signed. It should be appreciated that the archive 
file has associated class files. As such, loading the archive file involves loading class 
files. After the class files are loaded into memory, a validation process is performed on 
the loaded files in a step 408. The validation process, which includes the process of 
verifying whether the header signature associated with a loaded archive file is valid, in 
the event that an archive file has been loaded, will be described below with reference to 
Fig. 5. 

After the validation process, in a step 410, the class files are converted into an 
applet. That is, an applet is created in memory by instantiating the loaded class files, 
which may or may not be a part of a JAR file. Once the applet is created, the applet file 
is executed in a step 412. The steps associated with the execution of an applet will be 
described below with respect to Fig. 6. 

Fig. 5 is a process flow diagram which illustrates the steps associated with 
validating class files, i.e., step 408 of Fig. 4, in accordance with an embodiment of the 
present invention. The process begins at step 502, and in a step 504, a determination is 
made regarding whether an archive file or a class file has been loaded. If a class file 
has been loaded, then process flow proceeds to a step 506 in which a standard class 
verification is performed. A standard class verification typically includes a check of all 
loaded class files and, therefore, classes, in order to ascertain whether anything in the 
class files may compromise security. In some embodiments, a check is made to 
determine if the security of a virtual machine, as for example a Java™ virtual machine, 
can be compromised. Standard class verification methods are generally well known to 
those of ordinary skill in the art. Once the standard class verification is performed, the 
process of validating the class files is completed at 520. 

If the determination in step 504 is that an archive file has been loaded, then in a 
step 508, the header of the archive file is validated, or authenticated. The validation of 
the archive file generally involves an identification of the origin of the archive file based 
upon the header signature. That is, a check is made to establish the origin of the header 
signature and, therefore, the archive file. The validation may also include a check of 
whether data associated with the archive file is intact. It should be appreciated that in 
some embodiments, an archive file may not include a header signature. By way of 
example, an archive file within an intranet may not be signed. In a step 510, a 
determination is made as to whether the header is valid. If the header is not valid, e.g., 
the content of the archive does not correspond with the signature, then in a step 514, an 
error flag or the like is raised. In one embodiment, the error flag may result in an 
exception being thrown. In another embodiment, the error flag may result in a message 
being returned to the requesting client. After the error flag is raised, the process of 
validating class files ends at 520. 

If the header is found to be valid in step 510, process flow moves from step 
510 to a step 512 which is the determination of whether any classes associated with the 
archive file remain to be validated. If there is a class to be validated, then in a step 516, 
a standard class verification is performed. As previously described in step 506, a 
standard class verification includes a check of whether anything in a given class may 
compromise the security of a virtual machine. By way of example, the security of a 
virtual machine may be compromised if something in a given class can overwrite files 
or memory on the virtual machine. After the standard class verification is completed on 
the given class, process control returns to step 512 in which a determination is made 
regarding whether there are any more classes which are to be validated. Process 
control loops between steps 512 and 516 until a determination is made in step 512 that 
no more classes remain to be validated, at which point the process of validating class 
files is completed at 520. 
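The validation flow of Fig. 5, applied to the archive layout of Fig. 2b (header signature, classes "1" to "N", optional data block), can be written as one function that branches on whether a bare class file or an archive was loaded, authenticates the header before looking at any class, and then verifies each class in turn. The Python below is an added illustration, not the patent's code, and makes two labelled simplifications: the header signature is modelled with an HMAC-SHA256 tag under a per-signer key (a stand-in for a real public-key signature, so that the example runs offline), and "standard class verification" is reduced to checking the class-file magic bytes. The signer names and keys are constructed.

```python
"""Validation flow of Fig. 5 over the archive layout of Fig. 2b.  Added
illustration, not the patent's code.  Assumptions: the header signature is an
HMAC-SHA256 tag keyed per signer (a stand-in for a public-key signature), and
standard class verification is reduced to a class-file magic check."""

import hashlib
import hmac
from dataclasses import dataclass

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # leading bytes of every Java class file


@dataclass
class Archive:
    signer: str                      # principal whose signature is in the header (212)
    classes: list                    # (name, bytes) pairs: class "1" .. class "N"
    data_block: bytes = b""          # optional arbitrary data (214)
    header_signature: bytes = b""    # signature over classes and data block


# Constructed signer keys; a real verifier would hold the signers' public keys.
SIGNER_KEYS = {"java.com": b"constructed-key-java.com"}


def archive_digest(archive):
    """Hash the class files and data block in a fixed order; this is what the
    header signature covers, so any change to the content breaks the signature."""
    h = hashlib.sha256()
    for name, body in archive.classes:
        h.update(name.encode())
        h.update(len(body).to_bytes(4, "big"))
        h.update(body)
    h.update(archive.data_block)
    return h.digest()


def sign_archive(archive, key):
    """Produce the header signature for a constructed archive (server side)."""
    archive.header_signature = hmac.new(key, archive_digest(archive), "sha256").digest()
    return archive


def verify_class(body):
    """Stand-in for standard class verification (steps 506 and 516)."""
    return body.startswith(CLASS_MAGIC) and len(body) > len(CLASS_MAGIC)


def validate_header(archive):
    """Steps 508 and 510: establish the origin of the header signature and that
    the archive content still corresponds to it.  Unknown signers and unsigned
    archives are rejected."""
    key = SIGNER_KEYS.get(archive.signer)
    if key is None or not archive.header_signature:
        return False
    expected = hmac.new(key, archive_digest(archive), "sha256").digest()
    return hmac.compare_digest(expected, archive.header_signature)


def validate(loaded):
    """Return (ok, reason).  `loaded` is either class-file bytes or an Archive."""
    if isinstance(loaded, bytes):                          # step 504: bare class file
        if verify_class(loaded):
            return True, "class verified"                  # step 506 -> 520
        return False, "class verification failed"
    if not validate_header(loaded):                        # steps 508/510
        return False, "error flag: header signature invalid"   # step 514 -> 520
    for name, body in loaded.classes:                      # steps 512/516 loop
        if not verify_class(body):
            return False, f"class {name} failed verification"
    return True, f"archive from {loaded.signer} verified"  # step 520
```

Because the digest covers every class and the data block, altering any of them after signing makes step 510 fail before any class is verified, which is the "tampered with" detection the description attributes to signed archives. Unsigned archives are rejected here; a deployment that accepts unsigned intranet archives, as the description allows, would need to make that an explicit, separately audited decision rather than the default.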

Fig. 6 is a process flow diagram which illustrates the steps associated with 
executing an applet in accordance with an embodiment of the present invention. That 
is, step 412 of Fig. 4 will be described. The process begins at 602, and, in a step 604, 
a determination is made as to whether the applet contains an instruction to execute an 
operation. The operation may generally be a call to access a system-level resource. If 
the applet does not contain an instruction to execute an operation, then the process of 
executing the applet ends at 616. If the applet does contain an instruction to execute an 
operation, then process flow proceeds to a step 606 in which it is determined whether 
the operation to be executed is a protected, e.g., secured, operation. That is, a 
determination is made regarding whether the operation is an operation to which access 
is controlled. If it is determined that the operation is not protected, then the operation is 
executed in a step 608, and process flow returns to step 604, which is the determination 
of whether there is an instruction to execute another operation. 

If it is determined in step 606 that the operation in the instruction to execute is 
protected, then process flow moves to a step 610 in which the applet security manager 
is called. The process of calling the security manager will be described in more detail 
below with reference to Fig. 7. The applet security manager typically controls the 
operations which are accessible to given applets. In one embodiment, the applet 
security manager is a Java™ applet security manager. In a step 612, it is determined 
whether the operation is allowed. In other words, step 612 is the determination of 
whether the applet has access to the operation which is to be executed. If the operation 
is allowed, then the operation is executed in step 608. From step 608, process control 
returns to step 604 which is the determination of whether there is an instruction to 
execute another operation. 

If the determination in step 612 is that the operation is not allowed, then an error 
condition occurs, which can be implemented by having an exception thrown in step 
614, and the process of executing the applet ends at 616. It should be appreciated that 
in some embodiments, the step of throwing an exception may involve calling a throw 
function. In other embodiments, the step of throwing an exception may involve 
transmitting an error message which may be displayed by a user agent that is associated 
with the requesting client. In still other embodiments, the error handling may cause an 
interaction with the user to occur in the form of asking whether the user approves the 
performance of the operation by the applet. In such embodiments, access files can 
possibly be updated to permanently record the response provided by the user. 

Referring next to Fig. 7, the process of calling a security manager, i.e., step 
610 of Fig. 6, will be described. It should be appreciated that a user agent generally 
has only one associated security manager. The process of calling a security manager 
begins at 702 and in a step 704, the operation which is being called by the applet is 
identified. Although the operation may be any one of a number of operations, the 
operation is generally a read operation or a write operation. From step 704, process 
flow proceeds to a step 706 in which the name of the resource associated with the 
operation is identified. In some embodiments, the name of the resource is passed into 
the call to the security manager and, hence, is readily identified. However, when the 
name of the resource is not passed into the call, the properties file, as previously 
described with respect to Fig. 3a, may be used to identify the associated resource. 

Once the associated resource is identified in step 706, the name of the access file 
which corresponds to the resource is identified using the configuration file, which was 
described earlier with respect to Fig. 3b, that is associated with the applet. Permissions 
corresponding to the applet are then obtained from the access file in a step 710. It 
should be appreciated that in some embodiments, the appropriate access file may be a 
representation of the actual access file in memory. The access file, as described above 
with respect to Fig. 3c, associates individual hosts or groups with a set of permissions. 
After the permissions are obtained, the call to the security manager is completed at 712. 
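The execution loop of Fig. 6 and the security-manager call of Fig. 7 fit together as an interception loop: every instruction is classified as protected or not, protected ones are referred to the single security manager of the user agent, and the manager resolves operation, resource (from the call or, failing that, the properties file), access file and permissions before step 612 decides. The Python below is an added illustration, not the patent's code. The instruction stream, the in-memory configuration and access tables, the set of protected operations and the properties-file stand-in are all constructed assumptions; the optional user-approval callback models the embodiment in which the user is asked whether to allow a denied operation.

```python
"""Execution loop of Fig. 6 with the security-manager call of Fig. 7.  Added
illustration, not the patent's code.  The policy tables, the instruction
stream and the properties-file stand-in below are constructed."""


class AppletSecurityException(Exception):
    """Raised in step 614 when a protected operation is not allowed."""


# Operations to which access is controlled (step 606); anything else runs directly.
PROTECTED_OPERATIONS = {"read", "write", "connect"}

# In-memory form of the configuration file (Fig. 3b): resource -> access file name.
CONFIG = {
    "file:/export/data": "data.acl",
    "host:db.corp.example": "db.acl",
}

# In-memory form of the access files (Fig. 3c): principal -> permissions.
ACCESS_FILES = {
    "data.acl": {"java.com": {"read", "write"}, "sun.com": {"read"}},
    "db.acl": {"java.com": {"connect"}},
}


class SecurityManager:
    """The one security manager associated with a user agent (Fig. 7)."""

    def __init__(self, config, access_files, properties):
        self.config = config
        self.access_files = access_files
        self.properties = properties   # properties-file stand-in: default resource per operation

    def permissions(self, operation, resource, principal):
        # step 704: the operation was identified by the caller
        # step 706: resource name from the call, else from the properties file
        if resource is None:
            resource = self.properties.get(operation)
        access_name = self.config.get(resource)            # configuration file lookup
        table = self.access_files.get(access_name, {})     # step 710: access file in memory
        return table.get(principal, set())                 # step 712: permissions returned

    def check(self, operation, resource, principal):
        """Step 612: is the operation within the applet's permissions?"""
        return operation in self.permissions(operation, resource, principal)


def execute_applet(instructions, principal, manager, on_denied=None):
    """Run an applet's instructions, each given as (operation, resource, payload).
    Returns the list of (operation, resource) pairs actually executed.  A denied
    protected operation raises AppletSecurityException (step 614) unless the
    `on_denied(operation, resource)` callback, modelling a user prompt, returns True."""
    executed = []
    for operation, resource, _payload in instructions:         # step 604 loop
        if operation in PROTECTED_OPERATIONS:                   # step 606
            if not manager.check(operation, resource, principal):   # steps 610/612
                if on_denied is None or not on_denied(operation, resource):
                    raise AppletSecurityException(
                        f"{principal}: {operation} on {resource} denied")  # step 614
        executed.append((operation, resource))                  # step 608
    return executed                                              # step 616


def try_execute(instructions, principal, manager, on_denied=None):
    """Wrapper returning (executed, error_message) instead of raising, so the
    outcome of a run can be inspected or reported to the user agent."""
    try:
        return execute_applet(instructions, principal, manager, on_denied), None
    except AppletSecurityException as exc:
        return None, str(exc)
```

Two properties of the loop are worth noting. Unprotected operations never reach the security manager, so the set in `PROTECTED_OPERATIONS` is the real trust boundary and must be complete. And a principal absent from every access file gets an empty permission set, so the first protected operation it attempts is denied; granting access is always an explicit table entry, never the absence of one.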

Fig. 8 illustrates a typical computer system in accordance with the present 
invention. The computer system 830 includes any number of processors 832 (also 
referred to as central processing units, or CPUs) that are coupled to memory devices 
including primary storage devices 834 (typically a read only memory, or ROM) and 
primary storage devices 836 (typically a random access memory, or RAM). As is well 
known in the art, ROM 834 acts to transfer data and instructions uni-directionally to the 
CPU and RAM 836 is used typically to transfer data and instructions in a bi-directional 
manner. Both primary storage devices 834, 836 may include any suitable computer- 
readable media as described above. A mass memory device 838 is also coupled bi- 
directionally to CPU 832 and provides additional data storage capacity. The mass 
memory device 838 may be used to store programs, data and the like and is typically a 
secondary storage medium such as a hard disk that is slower than primary storage 
devices 834, 836. Mass memory storage device 838 may take the form of a magnetic 
or paper tape reader or some other well-known device. It will be appreciated that the 
information retained within the mass memory device 838 may, in appropriate cases, be 
incorporated in standard fashion as part of RAM 836 as virtual memory. A specific 
mass storage device such as a CD-ROM 834 may also pass data uni-directionally to the 
CPU. 

CPU 832 is also coupled to one or more input/output devices 840 that may 
include, but are not limited to, devices such as video monitors, track balls, mice, 
keyboards, microphones, touch-sensitive displays, transducer card readers, magnetic 
or paper tape readers, tablets, styluses, voice or handwriting recognizers, or other well- 
known input devices such as, of course, other computers. Finally, CPU 832 
optionally may be coupled to a computer or telecommunications network, e.g., an 
Internet network or an intranet network, using a network connection as shown 
generally at 812. With such a network connection, it is contemplated that the CPU 
might receive information from the network, or might output information to the 
network in the course of performing the above-described method steps. The above- 
described devices and materials will be familiar to those of skill in the computer 
hardware and software arts. Further, it should be appreciated by those skilled in the art 
that the above described hardware and software elements, as well as networking 
devices, are of standard design and construction. 

The computer-implemented methods described herein can be implemented using 
techniques and apparatus that are well-known in the computer science arts for executing 
computer program instructions on computer systems. As used herein, the term 
"computer system" is defined to include a processing device (such as a central 
processing unit, CPU) for processing data and instructions that is coupled with one or 
more data storage devices for exchanging data and instructions with the processing 
unit, including, but not limited to, RAM, ROM, CD-ROM, hard disks, and the like. 
The data storage devices can be dedicated, i.e., coupled directly with the processing 
unit, or remote, i.e., coupled with the processing unit over a computer network. It 
should be appreciated that remote data storage devices coupled to a processing unit over 
a computer network can be capable of sending program instructions to a processing unit 
for execution on a particular workstation. In addition, the processing device can be 
coupled with one or more additional processing devices, either through the same 
physical structure (e.g., a parallel processor), or over a computer network (e.g., a 
distributed processor). The use of such remotely coupled data storage devices and 
processors will be familiar to those of skill in the computer science arts (see, e.g., 
Ralston 1993). The term "computer network" as used herein is defined to include a set 
of communications channels interconnecting a set of computer systems that can 
communicate with each other. The communications channels can include transmission 
media such as, but not limited to, twisted pair wires, coaxial cable, optical fibers, 
satellite links, or digital microwave radio. The computer systems can be distributed 
over large, or "wide," areas (e.g., over tens, hundreds, or thousands of miles, WAN), 
or local area networks (e.g., over several feet to hundreds of feet, LAN). Furthermore, 
various local-area and wide-area networks can be combined to form aggregate networks 
of computer systems. One example of such a confederation of computer networks is 
the "Internet". 

Although only a few embodiments of the present invention have been 
described, it should be understood that the present invention may be embodied in many 
other specific forms without departing from the spirit or the scope of the present 
invention. By way of example, although only one configuration of an archive file data 
structure which may be signed has been described, it should be appreciated that the 
archive file data structure may be widely varied within the scope of the present 
invention. Further, steps involved with a method of executing a request to access 
system resources may be reordered. Steps may also be removed or added without 
departing from the spirit or the scope of the present invention. Therefore the described 
embodiments should be taken as illustrative and not restrictive, and the invention 
should be defined by the following claims and their full scope of equivalents. 
4. Brief Description of Drawings 

The invention, together with further advantages thereof, may best be 
understood by reference to the following description taken in conjunction with the 
accompanying drawings in which: 

Fig. 1a is a diagrammatic representation of a wide area computer network in 
which both users and intranets are coupled by a computer network through the Internet. 

Fig. 1b is a diagrammatic representation of a conventional intranet system. 

Fig. 2a is a diagrammatic representation of a collection of class files in 
accordance with an embodiment of the present invention. 

Fig. 2b is a diagrammatic representation of an archive file data format in 
accordance with an embodiment of the present invention. 

Fig. 3a is a diagrammatic representation of a client-side directory structure in 
accordance with an embodiment of the present invention. 

Fig. 3b is a diagrammatic representation of the structure of a client-side 
configuration file in accordance with an embodiment of the present invention. 

Fig. 3c is a diagrammatic representation of the structure of a client-side access 
file in accordance with an embodiment of the present invention. 

Fig. 3d is a diagrammatic representation of the structure of a client-side group 
specification file in accordance with an embodiment of the present invention. 

Fig. 4 is a process flow diagram which illustrates a method of executing a 
request to access a resource in accordance with an embodiment of the present invention. 

Fig. 5 is a process flow diagram which illustrates the steps associated with 
validating class files in accordance with an embodiment of the present invention. 

Fig. 6 is a process flow diagram which illustrates the steps associated with 
executing an applet in accordance with an embodiment of the present invention. 

Fig. 7 is a process flow diagram which illustrates the steps associated with 
calling a security manager in accordance with an embodiment of the present invention. 

Fig. 8 is a diagrammatic representation of a computer system in accordance with 
the present invention. 
1. Abstract 

Methods, systems, and software for installing and operating selected software 
applications on a client computer that is in communication with a server computer on a 
computer network are described. In one aspect of the present invention, a method for 
controlling the degree of access to operating system resources for a software program 
running on a computer that is running said operating system is provided. The degree 
of access to the operating system resources is defined for the software program, and at 
least one file including instructions for executing the software program is loaded on the 
computer from the server computer. The file is examined to determine the degree of 
system-level access available to the software program when the software program is 
being executed by the computer. The software program is executed, and a program 
instruction associated with the software program is intercepted when the software is 
being executed on the computer. A determination is then made to determine if the 
program instruction includes an operation that is outside of a degree of system-level 
access that is available to the software program, and if it is determined that the software 
program has permission to access system-level resources associated with the computer 
that are within the degree of system-level access available to the software, the program 
instruction is executed. 
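The permission lookup described earlier for step 712 (an access file, per Fig. 3c, associating hosts or groups with permissions, and a group specification file, per Fig. 3d) and the intercept-and-check method summarized in this abstract, modeled together as an added Python example. This is not the patent's own code; the line syntax of the two files, the permission names, the host names and the table of instruction kinds are constructed assumptions for illustration.

```python
"""Model of the access check: an access file maps hosts or '@group' names to
permission sets, a group file maps groups to member hosts, and a security
manager intercepts an instruction and lets it run only if the permission it
needs lies within the originating host's degree of access.  Added example,
not the patent's code; file syntax, permissions and hosts are constructed."""
from dataclasses import dataclass


class SecurityException(Exception):
    """Raised when an intercepted instruction exceeds the caller's access."""


# Constructed group specification file: one 'group: host host ...' per line.
GROUP_FILE = """\
# group name -> member hosts
trusted:  apps.intranet.example apps2.intranet.example
partners: partner.example.net
"""

# Constructed access file: 'host: perm ...' or '@group: perm ...' per line.
ACCESS_FILE = """\
# principal -> permissions (hosts absent from this file get none)
@trusted:  file.read file.write net.connect
@partners: net.connect
apps2.intranet.example: exec   # granted directly, on top of its group
"""

# Constructed table of the permission each intercepted instruction kind needs.
REQUIRED_PERMISSION = {
    "open_file_read": "file.read",
    "open_file_write": "file.write",
    "connect_socket": "net.connect",
    "exec_process": "exec",
}


def _parse_lines(text):
    """Yield (key, values) for each 'key: v1 v2 ...' line; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, rest = line.partition(":")  # hostnames assumed not to contain ':'
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key: values', got {raw!r}")
        yield key.strip().lower(), set(rest.split())


def parse_groups(text):
    """Group file -> {group: set(member hosts)}; hostnames normalised to lower case."""
    groups = {}
    for group, hosts in _parse_lines(text):
        groups.setdefault(group, set()).update(h.lower() for h in hosts)
    return groups


def parse_access(text):
    """Access file -> {host or '@group': set(permissions)}; repeated keys merge."""
    access = {}
    for key, perms in _parse_lines(text):
        access.setdefault(key, set()).update(perms)
    return access


def effective_permissions(host, access, groups):
    """Union of what the host is granted directly and through every group it is in.
    A host named nowhere gets the empty set, so the check fails closed."""
    host = host.lower()
    perms = set(access.get(host, ()))
    for group, members in groups.items():
        if host in members:
            perms |= access.get("@" + group, set())
    return perms


@dataclass
class SecurityManager:
    access: dict
    groups: dict

    def check(self, host, instruction):
        """True if the intercepted instruction is within the host's degree of access."""
        needed = REQUIRED_PERMISSION.get(instruction[0])
        if needed is None:
            return False  # an operation kind we cannot classify is refused, not allowed
        return needed in effective_permissions(host, self.access, self.groups)

    def execute(self, host, instruction, handler):
        """Intercept instruction (kind, *args) from code loaded from host:
        run handler(*args) only if the check passes, otherwise raise."""
        if not self.check(host, instruction):
            raise SecurityException(f"{host}: {instruction[0]} is outside its access")
        return handler(*instruction[1:])


def build_demo_manager():
    """Security manager loaded with the constructed sample files above."""
    return SecurityManager(parse_access(ACCESS_FILE), parse_groups(GROUP_FILE))


if __name__ == "__main__":
    sm = build_demo_manager()
    for host, instr in [("apps.intranet.example", ("open_file_read", "/data/a.txt")),
                        ("partner.example.net", ("open_file_write", "/data/a.txt")),
                        ("unknown.example.org", ("connect_socket", "db.internal", 5432))]:
        try:
            print(host, "->", sm.execute(host, instr, lambda *a: f"ran {instr[0]}{a}"))
        except SecurityException as exc:
            print("denied:", exc)
```

The design point is that the manager only ever widens permissions by union over entries that name the host, and treats a missing entry or an unclassified instruction kind as a denial; a policy loader that instead defaulted an unknown host to some baseline set would silently grant access to code from any origin.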

2. Representative Drawing 

Fig. 4 
